
Page 1

Session 2
FFIEC Guidance and Supplement to Authentication in an Internet Banking Environment

Jim Vilker, NCCO, VP of Professional Services, CMS Audit Link, A Division of CU*Answers
Patrick Sickels, JD, CISA, CRISC, Internal Auditor, CU*Answers
Laura Welch-Vilker, Manager of Education Services, CU*Answers

December 15, 2011

Page 2

Agenda

• Finalizing the risk assessment
• If necessary, updating policies and procedures
• Updating the account opening process
  – CIP cards and procedures
• Utilizing It’s Me 247 and PIB global settings
• Utilizing PIB individual settings
• Evaluating suspicious activity
• Member and staff educational requirements

Page 3

Five Step Plan for FFIEC Compliance

Step One: Conduct a Risk Assessment on All Online Banking Accounts
If the account involves large dollar amounts passing from the credit union to outside third parties, the risk should be considered high, and the credit union should act accordingly.

Step Two: If Commercial, Set Administrative Functions
Business accounts should have enhanced controls for system administrators who have privileges for setting access, configurations, and limits.

Step Three: Set Layered Security (PIB)
Depending on the risk level of the account, set up access and authorization controls, and set thresholds for account activity, including transaction value thresholds.

Step Four: Detect and Respond to Suspicious Activity
Credit unions can already review the transactional history of clients for suspicious activity. Furthermore, CU*BASE is undergoing development to provide each credit union with more tools to monitor the transaction behavior of members. These new features will be available in 2012.

Step Five: Customer Awareness and Education
At least annually, advise your members on how to protect their accounts, and provide regular follow-up on new threats or ways to enhance the security of their online banking activity.

Page 4

Risk Assessment Example

Overall Risk Assessment (Product Feature)
See sample: http://auditlink.cuanswers.com/2011/12/sample-its-me-247-risk-assessments-in-response-to-ffiec/
“Calling for all samples”

Page 5

Evaluating Results of Risk Assessment

What will your risk assessment tell you?

What if the credit union doesn’t offer commercial accounts?
What if the credit union is SEG based and has very little suspicious activity?
What if the credit union has online commercial accounts?
What if the credit union already has suspicious activity?

Based upon the answers to the above questions, the credit union will need to determine what changes are necessary to the:
Organization
Operations
Ongoing auditing and monitoring

Page 6

Evaluating Suspicious Activity Using MNAUDT #9 and #10

All credit unions should perform this analysis when completing the risk assessment and, based upon the findings of the assessment, determine if this analysis needs to be performed on a monthly basis for existing accounts.

Page 7

Tools for Completing Your Risk Assessment

MNAUDT #10

Page 8

Ongoing Risk Assessment Maintenance

1. Conduct on no less than an annual basis
2. Conduct whenever there is a major change to online banking offerings, account types, field of membership, merger, new cyber related threats
3. Provide education on no less than a yearly basis

Page 9

Account Opening Procedures
Changes to CIP card/process

Questions to ask which trigger additional information gathering:
• Commercial in nature
• Expectation of high internet-based third party payments
• Classified by FFIEC as being high-risk
• Utilizing due diligence flag for high-risk accounts

Page 10

Example of Account Risk Assessment
“Calling on all CIP cards”

Transaction Amounts / Destination / Risk

Transaction amounts: the transaction amounts are large (such as commercial accounts)
Destination: to outside third parties, such as A2A or Online Bill Pay
Risk: should be considered HIGH

Transaction amounts: the transaction amounts are small
Destination: small transactions to outside third parties, or larger transactions to parties within the credit union
Risk: should be considered MEDIUM

Transaction amounts: the transaction amounts are small
Destination: the transactions are within the same accounts of the member (e.g. savings to checking), or the possibility of loss is minimal
Risk: should be considered LOW
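The amount-by-destination matrix above, applied per product feature and rolled up to an account rating, as an added example that is not part of the presentation or of CU*Answers' software; the LARGE_AMOUNT threshold, the feature names and the sample accounts are constructed placeholders, and the "PIB required" flag follows slide 13's statement that PIB is a requirement for high-risk activity.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List

# Destination categories taken from the slide's risk table.
class Destination(Enum):
    OUTSIDE_THIRD_PARTY = "outside third party (A2A, online bill pay)"
    WITHIN_CREDIT_UNION = "another party within the credit union"
    SAME_MEMBER = "the member's own accounts (e.g. savings to checking)"

@dataclass
class Feature:
    name: str               # product feature enabled on the account
    max_amount: float       # largest single transaction the feature allows
    destination: Destination

# The slide does not say where "small" ends; this threshold is a constructed placeholder.
LARGE_AMOUNT = 10_000.00
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

def feature_risk(f: Feature) -> str:
    """Apply the slide's amount x destination matrix to one feature."""
    large = f.max_amount >= LARGE_AMOUNT
    if f.destination is Destination.OUTSIDE_THIRD_PARTY:
        return "HIGH" if large else "MEDIUM"   # money leaves the credit union
    if f.destination is Destination.WITHIN_CREDIT_UNION and large:
        return "MEDIUM"                        # larger transfers to other parties in the CU
    return "LOW"   # same-member moves, or small amounts where possibility of loss is minimal

def assess_account(features: List[Feature]) -> Dict:
    """Overall risk is the highest risk of any enabled feature (slide 3, step one)."""
    per_feature = {f.name: feature_risk(f) for f in features}
    overall = max(per_feature.values(), key=RANK.__getitem__, default="LOW")
    return {
        "features": per_feature,
        "overall": overall,
        # Slide 13: PIB is a requirement for high-risk online banking activity.
        "pib_required": overall == "HIGH",
    }

# Constructed sample accounts, not real member data.
SAMPLE_COMMERCIAL = [
    Feature("Online Bill Pay", 25_000.00, Destination.OUTSIDE_THIRD_PARTY),
    Feature("A2A transfer", 50_000.00, Destination.OUTSIDE_THIRD_PARTY),
    Feature("Internal transfer", 5_000.00, Destination.SAME_MEMBER),
]
SAMPLE_CONSUMER = [
    Feature("Online Bill Pay", 2_500.00, Destination.OUTSIDE_THIRD_PARTY),
    Feature("Internal transfer", 2_500.00, Destination.SAME_MEMBER),
]
```

Calling `assess_account(SAMPLE_COMMERCIAL)` rates the account HIGH because of its large outside-party features, while the consumer sample comes out MEDIUM on its small bill-pay feature alone.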

Page 11

Commercial Accounts

Credit unions need to ensure that business accounts have additional controls when setting up system administration functions. Credit unions can manage these controls by using PIB (Personal Internet Branch). PIB allows credit unions to set a large range of controls regarding the personnel authorized to make changes, what activity can be done online, and in what amounts. PIB is the primary system for protecting both the member’s funds and the credit union from liability.

Page 12

Commercial Accounts

Control / Purpose

Control: Email notification
Purpose: Members must always be notified when there is an administrative change to online banking; confirmation emails may need to go to someone other than an authorized user

Control: Confirmation codes
Purpose: Requires a confirmation code before a high-risk transaction can be performed

Control: Password changes
Purpose: Should always be through the credit union, including changes to confirmation codes

Page 13

Layered Security

Layered Security is a term meaning that a credit union should have multiple controls with respect to online banking so that if one control fails another prevents or mitigates the damage.

The PIB (Personal Internet Branch) system allows the credit union to set up layered security for each and every online banking account in accordance with the new FFIEC Guidelines.

PIB should now be considered a requirement for any member engaging in high risk online banking activity. The credit union may wish to control PIB changes in-house, rather than have the member make these changes.

Page 14

Layered Security

Control / Purpose

Control: Email notification
Purpose: Should be used for every transaction that takes place in online banking, as well as password resets and activation keys

Control: Transaction dollar limits
Purpose: Critical in high risk transfers to outside third parties; configure the maximum dollars per day and per month

Control: Transaction time limits
Purpose: Restricts when transfers can take place; useful for businesses who do not need 24/7 online banking access

Control: Disable unused transactions
Purpose: Credit unions should disable all transactional activity not required by the consumer

Control: Set custom/complex PIN and passwords
Purpose: Should be recommended for any high risk transactions

Control: Audio banking
Purpose: Determines what activities are allowed over the phone

Control: PC Registration
Purpose: Restricts what PCs can be used to perform the transactions

Control: Geographic Location
Purpose: Restricts the locations where transactions can be performed

Control: Confirmation codes
Purpose: Requires a confirmation code before a high-risk transaction can be performed
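How the layered controls on this slide work together when a transfer is evaluated, as an added example that is not part of the presentation and does not use CU*Answers' PIB configuration keys: every control is checked independently and all failures are reported, so a transfer that slips past one layer is still stopped by the others. The profile fields, the business profile and the transfer values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set, Tuple

# Constructed PIB-style profile for one account; field names are this example's own.
@dataclass
class PibProfile:
    allowed_transactions: Set[str]   # everything not listed is disabled
    daily_limit: float               # maximum dollars per day
    monthly_limit: float             # maximum dollars per month
    window: Tuple[time, time]        # time of day when transfers may run
    registered_pcs: Set[str]         # PCs allowed to perform transactions
    allowed_regions: Set[str]        # geographic locations allowed
    confirm_code_for: Set[str]       # transaction types that need a confirmation code

@dataclass
class Transfer:
    kind: str
    amount: float
    when: datetime
    pc_id: str
    region: str
    confirmation_code: str = ""

def evaluate(p: PibProfile, t: Transfer, spent_today: float,
             spent_month: float, expected_code: str) -> List[str]:
    """Run every control and return the names of those that failed; an empty
    list means the transfer passed all layers. Controls never short-circuit."""
    checks = [
        ("transaction type disabled", t.kind not in p.allowed_transactions),
        ("daily dollar limit", spent_today + t.amount > p.daily_limit),
        ("monthly dollar limit", spent_month + t.amount > p.monthly_limit),
        ("outside allowed time window", not p.window[0] <= t.when.time() <= p.window[1]),
        ("unregistered PC", t.pc_id not in p.registered_pcs),
        ("geographic location not allowed", t.region not in p.allowed_regions),
        # Constant-time comparison so the code check itself leaks nothing about the code.
        ("confirmation code missing or wrong", t.kind in p.confirm_code_for
            and not hmac.compare_digest(t.confirmation_code, expected_code)),
    ]
    return [name for name, tripped in checks if tripped]

# Constructed profile for a small business that only needs office-hours A2A and bill pay.
BUSINESS = PibProfile(
    allowed_transactions={"a2a", "bill_pay", "internal"}, daily_limit=5_000.00,
    monthly_limit=40_000.00, window=(time(8, 0), time(18, 0)),
    registered_pcs={"office-pc-1"}, allowed_regions={"US-MI"},
    confirm_code_for={"a2a", "bill_pay"})
```

Running a late-night A2A from an unregistered PC in another region with a wrong code trips the time, PC, location and code layers at once, and the dollar limit as well if the day's total is exceeded; each failed layer is a separate line in the result for review.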

Page 15

Layered Security

When? Ideally at account setup, but ASAP for all high-risk accounts.

Page 16

Global Security Settings MNMGMC #16

Page 17

MNCNFE #1

Page 18

MNCNFE #1 – A2A

Page 19

MNCNFE #1 – PIB

Page 20

MNCNFE #1 – PIB

Page 21

MNCNFE #1 – PIB

Page 22

PIB at the Account Level – MNSERV #22

Page 23

MNSERV #22 – Change PIB Settings

Page 24

MNSERV #22 – Change PIB Settings

Page 25

PIB Member Experience

Page 26

Ongoing Monitoring – MNAUDT #10

Page 27

Member Education

An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access.

An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials.
Note: From a security standpoint, this should be rarely, if ever.

Page 28

Member Education

A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically.

A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found.

A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Page 29

Sharing Information

CU*Answers ExamShare and PolicySwap will be live March 1, 2012. Until that time, please share your:
Assessments
Policies
CIP cards and procedures

Page 30

What’s Next

• Mid January web conference for reviewing examination checklist (if completed by FFIEC) and peer processes and policies (collaborative with CU*Answers clients)

Page 31

Reference Material

PIB Made Simple – Try it with your staff
http://cuanswers.com/pdf/cb_ref/PIBStaffTryIt.pdf#2009-02-12

Roll-Out Strategies
http://cuanswers.com/pdf/cb_ref/PIBRollout.pdf#2010-10-12

PIB Configuration and User Guide
http://cuanswers.com/pdf/cb_ref/PIBConfiguration.pdf#2011-12-09

Answering Your Questions about PIB
http://cuanswers.com/pdf/security/CUFAQs.pdf#2007-12-07

Page 32

Questions?

Page 33

LEGAL DISCLAIMER

The information contained in this email does not constitute legal advice. We make no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained in this email. You should retain and rely on your own legal counsel, and nothing herein should be considered a substitute for the advice of competent legal counsel. These materials are intended, but not promised or guaranteed to be current, complete, or up-to-date and should in no way be taken as an indication of future results. All information is provided "as is", with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no event will CU*Answers, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for any decision made or action taken in reliance on the information provided or for any consequential, special or similar damages, even if advised of the possibility of such damages.